
Centralized reporting of cyber incidents can improve effectiveness

UnitedHealth CEO Andrew Witty testified in separate Senate and House hearings on May 1 about the devastating February cyberattack on Change Healthcare, which affected millions of Americans and has cost the company almost 1 billion US dollars.

Alongside promising to fix glaring security flaws, such as the missing multi-factor authentication (MFA) on the Change Healthcare portal, Witty also said UnitedHealth supports “standardized and nationalized cybersecurity event reporting” as part of efforts to strengthen the country’s national cybersecurity infrastructure.

Given the many, often overlapping, cyber incident reporting regulations in force around the world, this part of his statement met with little resistance. The big question is: how realistic is it?

Companies and other organizations face an ever-growing number of regulatory and reporting standards, depending on their business activities and the data they process: from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the EU General Data Protection Regulation (GDPR) to the Securities and Exchange Commission (SEC) disclosure rules, the Health Insurance Portability and Accountability Act (HIPAA) and many others. In total, more than 200 regulations could apply, many of them with ever shorter reporting deadlines, and some with teeth in the form of fines, penalties and even prosecution.

If a company suffers a cybersecurity incident, a single point of reporting would be far more useful than having to notify a multitude of relevant regulators separately. In its September 2023 report “Harmonizing Cyber Incident Reporting to the Federal Government,” the Department of Homeland Security (DHS) recommended establishing a single portal to “streamline the receipt and dissemination” of information. That central reporting point could then pass the necessary information on to the other regulatory agencies.

The best prospect for such a seamless reporting system is something that has existed for eight years: the National Cyber Incident Response Plan (NCIRP).

The NCIRP could centralize cyber reporting

The NCIRP, as called for in the Biden administration’s National Cybersecurity Strategy, is currently being updated to better focus on evolving threats and to encourage collaboration among the private sector, regulators, federal agencies, interagency partners, state, local, tribal and territorial (SLTT) governments, and others. The Cybersecurity and Infrastructure Security Agency (CISA) plans to release the update before the end of the year.

The NCIRP follows four principles:

  • Unity of effort: developing solid partnerships at all levels of government and industry, domestically and internationally.

  • Shared responsibility: action-oriented cooperation that draws on the full range of competencies, skills and expertise of everyone involved.

  • Learning from the past: drawing on recent history (especially the last eight years) to improve national coordination of cyber incident response.

  • Keeping pace with developments in cybersecurity: emphasizing proactive steps and agility in clearly defining intended outcomes in an increasingly sophisticated threat landscape.

The goal of the NCIRP is to create a framework for coordinating the response to cyber incidents. Establishing it as the central reporting point and repository for other regulators would simplify reporting for companies and other organizations and make compliance with all applicable regulations more likely.

Companies need to change their approach

Companies now need to do their part, starting with a robust incident response and reporting program built around transparency. This may seem obvious, but it runs against the way many companies have operated to date.

For one thing, the incident response plans organizations write are rarely consulted when an actual incident is being managed. Most are high-level documents that give only an overarching view of the process. Plans that go deeper are often so long and detailed that following them in an emergency is impractical, like pulling out an encyclopedia while the house is on fire. So responders fall back on gut instinct and what they did last time, and things become chaotic once many other stakeholders are involved.

Second, incident transparency is a new concept in the industry. For legal reasons, the traditional approach has been to keep incident documentation to a minimum to avoid additional liability: write nothing down, communicate only by phone, and ensure that as few people as possible know about an incident. New reporting requirements are changing that. Now companies face greater potential liability if they do not report openly or maintain an audit trail. They must be able to demonstrate that they handle cyber incidents quickly, effectively and responsibly.

Companies need to wake up and embrace the new age of transparency. They need a comprehensive program that ensures teams do the right things at the right time and document their work. When preparing for incidents, they need to recognize that a plan is not a program and focus on executing their response as part of a proven, digitized process. That way they can more easily give regulators, and ultimately their customers, the information they need to take the necessary steps to protect themselves.

Transparency and collaboration can protect companies

By promoting transparency and creating audit trails, companies can fulfil their new shared responsibilities and achieve the goal of better information sharing and cooperation, which are also part of the new national strategy. Regulators can then use the reporting requirements to coordinate a joint response.

A unified system with a central reporting point could also give companies a safe harbor against liability claims if they have acted transparently and in good faith. Government regulators could be clearer on this point. For example, CISA says timely information will not be used against a company, but some companies worry that the SEC could use such notifications to launch an investigation. A central reporting point could set clear rules about the consequences of violations while still holding companies accountable for their cybersecurity.

Creating a central reporting system for all government incident reports is the easiest way to promote transparency, collaboration, and improved security across the industry. And given the growing threat landscape, this is becoming an increasingly important component of any successful joint national cybersecurity strategy.
